Security Risks of Instant Messaging in the Workplace

Security Risks of Instant Messaging in the Workplace Imtiaz Paniwala Instructor: Dr. Yang Date: March 24, 2004

Introduction l l l Instant messaging is an Internet service that allows the user to communicate in real time with other users who have the same instant messaging application. EIM is an abbreviation for "enterprise instant messaging. " Instant messaging applications are generally categorized as either being public or enterprise. AOL's instant messenger (AIM), Yahoo Messenger and Microsoft. NET Messenger are examples of public IM services. Anyone on the Internet can sign up, download the software and begin messaging. Sun ONE Instant Messaging, IBM Lotus Instant Messaging & Web Conferencing (formerly called Sametime) and Microsoft Office Live Communications Server 2003 (formerly called Greenwich) are examples of enterprise IM services. Access to the IM server is restricted and security precautions, such as encryption, are put in place to protect the enterprise network.

Who is using instant messaging? l 90% of businesses will use IM by end of 2004. (Gartner IM Trends) l Corporate IM is expected to replace 65% of e-mail usage by 2004. (Information Week) l 65 million workers are already using instant messaging, and that number is expected to grow to 350 million by 2005. (IDC Research) l Corporate IM usage is expected to account for nearly 60% of all online traffic by 2005. (Ferris Research) As more IT departments become convinced of the value of IM as a business communications tool and begin looking for ways to exert control, implement security measures and integrate instant messaging with other groupware components, unmanaged IM use in the enterprise is likely to become a thing of the past.

What's Hot , What's Not ? l l AIM (AOL Instant Messenger) www. aim. com. 59. 7 million users ICQ www. icq. com 6. 2 million users. net Messenger www. messenger. msn. com 23. 1 million users Yahoo! Messenger www. messenger. yahoo. com. 19. 5 million users Source: com. Score Media Metrix

Did you know? l l l IM worms do not need to scan the internet for the IP addresses of vulnerable systems, a process that greatly slows the spread of traditional worms. Instead, IM worms simply use the infected user's buddy list to find new targets. Even with a scenario in which the buddy lists of infected and target machines were identical except for just one IM user, an IM worm could infect 500, 000 machines in just 31 seconds. The packet sniffing software 'dsniff' (available at http: //www. monkey. org/~dugsong/dsniff/) is able to decipher AIM passwords on the fly. One or two “clicks” in. net messenger allows a remote user to control your computer Yahoo! Messenger has the weakest security features of the major messaging platforms. Its protocol does not encrypt usernames and passwords, making it risky to even log into the system. ICQ has been the target of many Do. S bugs and at least one remote buffer overflow.

Common threats 1. 2. 3. 4. Weakened security settings. During installation, instant messaging software may change browser security settings, placing the computer at risk. Readability by intruders. Instant messaging sessions are conducted in plain, unencrypted text, and are an open book to a reasonably skilled intruder. Intrusion on privacy. By design, instant messaging software runs continuously as a background task and broadcasts the computer's presence online even if the interface is closed. (A separate "exit" action is needed to stop it. ) In addition, instant messaging software may store the content of an instant messaging session in a log-file that could be read by others. Hijacking and impersonation. Instant messaging accounts are vulnerable to hijacking or spoofing, allowing an intruder to impersonate someone in conversations with others.

Common threats contd. 5. 6. 7. 8. Malicious code. Instant messaging establishes an open communications channel to the computer that can be exploited by malicious code such as worms, viruses, and Trojan horses. Unauthorized access. Instant messaging users can potentially access each others hard drives and files during a session, placing the computer at the disposal of would-be hackers. Poor password security. Instant messaging software typically stores passwords in a manner that is highly vulnerable to hackers. No virus protection. Instant messaging sessions are not virus protected and can freely spread virus-ridden files.

INSTANT MESSAGING BEST PRACTICES l 1. 2. 3. 4. 5. 6. Establish a corporate instant messaging usage policy Properly configure corporate perimeter firewalls Deploy desktop antivirus software Employ personal firewalls to ensure policy compliance Deploy corporate instant messaging servers Install instant messaging patches as soon as possible Use vulnerability management solutions to ensure policy compliance

Recommended instant messaging client settings 1. 2. 3. 4. 5. If a corporation chooses to use an external instant messaging system— one whose servers are operated by the instant messaging provider—the following security practices should be kept in mind: For the best security, do not use any external IM system that does not employ a certified encryption system. Configure all IM clients so that they will accept chat requests only from users specified in employees’ buddy lists. This prevents attackers from connecting to computers on the network and sending malicious code. Only those users explicitly specified by employees should be able to contact them. Configure the IM system to either block file transfers or allow such transfers only from users specified on the buddy list. If this is not feasible, configure the IM software to prompt the employee before all file transfers. Configure the IM system to use antivirus software to scan file transfers, if supported. Configure IM accounts so they are not listed on public servers. This further prevents unsolicited chat requests.

Some security products 1. 2. 3. Top Secret Messenger : Top Secret Messenger (TSM) is product developed by Encryption Software, Inc. It provides a powerful public-key encryption platform, TSM provides integrated add-on for popular instant messengers thus integrating the new IM technology with existing system applications Vayusphere Managed IM Gateway : Vayusphere Mi. G provides controlled employee access to Public IM. It uses relational database to store public IM conversation. This feature allows enterprises to archive and search thereby satisfying the document retention and compliance requirements. Vayusphere MIG supports all major public IM networks. Vayursphere MIG allows creation of usage and traffic reports to dynamically track IM usage 12. A. I. M. Frame : A. I. M. Frame runs on top of AOL’s AIM. A. I. M. Frame records and logs all conversations with date/time stamp. IM logs can be integrated into enterprise databases via ODBC connection. A. I. M Frame also supports encrypted instant messaging to other A. I. M. Frame users.

Conclusion 1. 2. 3. Due to the efficiency and convenience of their communications, instant messaging systems are rapidly becoming very important tools within corporations. Unfortunately, many of the current instant messaging systems are inadequately secured and in turn are exposing some enterprises to serious security and economic breaches. Ideally, corporations looking to leverage instant messaging should deploy a secure, corporate-focused IM solution within the company network, and then layer suitable security systems on top of this solution (firewalls, vulnerability management, antivirus, etc. ) However, many companies continue to permit employees to use popular free IM services. These organizations need to understand the associated security risks and plan accordingly. Clearly, the growth of instant messaging systems will bring greater efficiencies to the global workplace. Only by appropriately securing these systems will businesses be able to reap their full economic benefits.

The intent is not to persuade you NOT to use IM. Just be aware of how you use it. Thank you !!!